Period for Reply

A SHORTENED STATUTORY PERIOD FOR REPLY IS SET TO EXPIRE 3 MONTH(S) FROM 
THE MAILING DATE OF THIS COMMUNICATION. 

- Extensions of time may be available under the provisions of 37 CFR 1.136(a). In no event, however, may a reply be timely filed
after SIX (6) MONTHS from the mailing date of this communication.

- If the period for reply specified above is less than thirty (30) days, a reply within the statutory minimum of thirty (30) days will be considered timely. 

- If NO period for reply is specified above, the maximum statutory period will apply and will expire SIX (6) MONTHS from the mailing date of this communication.

- Failure to reply within the set or extended period for reply will, by statute, cause the application to become ABANDONED (35 U.S.C. § 133). 

- Any reply received by the Office later than three months after the mailing date of this communication, even if timely filed, may reduce any 
earned patent term adjustment. See 37 CFR 1.704(b). 

Status 

1) ☒ Responsive to communication(s) filed on 05 November 2004.

2a) □ This action is FINAL. 2b) ☒ This action is non-final.

3) □ Since this application is in condition for allowance except for formal matters, prosecution as to the merits is closed in accordance with the practice under Ex parte Quayle, 1935 C.D. 11, 453 O.G. 213.

Disposition of Claims

4) ☒ Claim(s) 1-4, 6, 9, 12-14, 19-22, 24, 27, 30-32, 45, 52, 53 and 55-76 is/are pending in the application.

4a) Of the above claim(s) is/are withdrawn from consideration.

5) □ Claim(s) is/are allowed.

6) ☒ Claim(s) 1-4, 6, 9, 12-14, 19-22, 24, 27, 30-32, 45, 52, 53 and 55-76 is/are rejected.

7) □ Claim(s) is/are objected to.

8) □ Claim(s) are subject to restriction and/or election requirement.

Application Papers 

9) □ The specification is objected to by the Examiner.

10) ☒ The drawing(s) filed on 20 May 2004 is/are: a) ☒ accepted or b) □ objected to by the Examiner.

Applicant may not request that any objection to the drawing(s) be held in abeyance. See 37 CFR 1.85(a).

11) □ The proposed drawing correction filed on is: a) □ approved b) □ disapproved by the Examiner.

If approved, corrected drawings are required in reply to this Office action.

12) □ The oath or declaration is objected to by the Examiner.

Priority under 35 U.S.C. §§ 119 and 120

13) □ Acknowledgment is made of a claim for foreign priority under 35 U.S.C. § 119(a)-(d) or (f).

a) □ All b) □ Some* c) □ None of:

1. □ Certified copies of the priority documents have been received.

2. □ Certified copies of the priority documents have been received in Application No. .

3. □ Copies of the certified copies of the priority documents have been received in this National Stage application from the International Bureau (PCT Rule 17.2(a)).

* See the attached detailed Office action for a list of the certified copies not received.

14) □ Acknowledgment is made of a claim for domestic priority under 35 U.S.C. § 119(e) (to a provisional application).

a) □ The translation of the foreign language provisional application has been received.

15) □ Acknowledgment is made of a claim for domestic priority under 35 U.S.C. §§ 120 and/or 121.

1) Notice of References Cited (PTO-892)

2) □ Notice of Draftsperson's Patent Drawing Review (PTO-948)

3) □ Information Disclosure Statement(s) (PTO-1449) Paper No(s) .

4) □ Interview Summary (PTO-413) Paper No(s). ,

5) Notice of Informal Patent Application (PTO-152)

6) □ Other:

DETAILED ACTION

Response to Arguments 

1. In response to communications filed on 11/5/2004, Applicant cancels claims 7, 8, 10, 11,
15-18, 28, 29, 33-39, 41-44, 46-51, and 54; and amends claims 1, 3, 4, 9, 12, 13, 19-22, 30, 45,
52, 53, and 55-57. Applicant adds claims 58-76. The following claims 1-4, 6, 9, 12-14, 19-22,
24, 27, 30-32, 45, 52, 53 and 55-76 are presented for examination.

2. Applicant's remarks, pages 19-23, filed on 11/5/2004, with respect to the rejection of
claims 1-57 have been fully considered, but they are moot in view of a new ground of rejection.
Applicant amends claims 1, 3, 4, 9, 12, 13, 19-22, 30, 45, 52, 53, and 55-57 and adds claims
58-76. Upon further consideration, a new ground of rejection is made in view of Calvignac.

Claim Objections 

3. Claim 31 is objected to for being dependent from claim 28, which is a canceled claim. 
To avoid rendering the claim indefinite, appropriate correction is requested. 

Claims 1 and 19 are objected to because of the following informalities: after performing
"the unconditional" should be --an unconditional disregard-- or --the disregard instruction--. To
avoid rendering the claim indefinite, appropriate correction is requested.

Claim 2 is objected to because of the following informalities: "an" resource should be
--a-- resource.

Claim Rejections - 35 USC §102 

4. A person shall be entitled to a patent unless - 

(e) the invention was described in a patent granted on an application for patent by another 
filed in the United States before the invention thereof by the applicant for patent, or on an 
international application by another who has fulfilled the requirements of paragraphs (1), 
(2), and (4) of section 371(c) of this title before the invention thereof by the applicant for 
patent. 

The changes made to 35 U.S.C. 102(e) by the American Inventors Protection Act of 1999 
(AIPA) and the Intellectual Property and High Technical Amendments Act of 2002 do not 
apply when the reference is a U.S. patent resulting directly or indirectly from an international 
application filed before November 29, 2000. Therefore, the prior art date of the reference is 
determined under 35 U.S.C. 102(e) prior to the amendment by the AIPA (pre-AIPA 35 U.S.C. 
102(e)). 



4.1 Claims 1-4, 6, 9, 12-14, 19-22, 24, 27, 30-32, 45, 52, 53 and 55-76 are rejected under 35
U.S.C. 102(e) as being anticipated by US Patent 6,539,394 to Calvignac et al.



4.2 As per claims 1, 19, Calvignac et al discloses a method and a system (see figure 1) that 
meets the recitation of the system of claim 19 comprising input/output interface, processor, 
memory system encoding with authorization program, authorization database, and 
interconnection mechanism coupling the above list, for providing access control in a computing 
system environment, the method/system comprising the steps of receiving an access request, for
example (see column 1, lines 30-67); selecting, based on the access request, a selected set of 
rules containing at least one rule from a master set of rules, for example (see column 1, line 30 
through column 2, line 22 and column 3, lines 25-56); and producing an access control decision 
based on performing rule operations in a given rule of the selected set of rules by sequentially 
performing rule operations in the given rule until performing a disregard instruction, the 
disregard instruction including disregard criteria identifying a type of other rule operations in the 
selected set of rules to disregard from performing, for example (see column 3, lines 25-56 and 
figures 3A-3D); Calvignac et al provides detailed explanation of figures 3A-3D in columns 6-8 
in performing a disregard instruction including disregard criteria identifying a type of other rule 
operations in the selected set of rules to disregard from performing that meets the recitation of 
claims 1 and 19. Calvignac et al also discloses, after performing the unconditional disregard
instruction in the given rule: i) evaluating the disregard criteria against any remaining unperformed rule
operations in other rules of the selected set of rules, the other rules being rules other than the
given rule; ii) marking any remaining unperformed rule operations in the other rules of the
selected set of rules that match the disregard criteria to be disregarded from further rule 
processing, for example (see column 7, lines 5-32; column 7, line 49 through column 8, line 47 
and figures 3A-3D); and iii) executing remaining unmarked rule operations in the other rules in 
the selected set of rules, for example (see column 7, line 49 through column 8, line 47 and 
figures 3A-3D). 

As per claim 45, Calvignac et al discloses a method for controlling applicability of rule
operations in a rule-based access control system, the method comprising the step of: selecting at
least two rules for performance to determine an access control decision, the at least two rules
including a first rule and a second rule, for example (see column 8, lines 24-47 and figures
3A-3D); Calvignac et al discloses at least one rule operation in the second rule other than the
disregarded rule operation is performed that meets the recitation of performing a rule operation
in the first rule of the at least two rules, the rule operation including a disregard instruction that
when performed, causes non-performance of at least one other rule operation in the second rule that is
disregarded based on the disregard instruction and performing at least one rule operation in the
second rule other than the at least one rule operation in the second rule that is disregarded, for
example (see column 8, lines 24-47 and figures 3A-3D).

Claim 52 recites similar limitation as claim 45 except for limiting performance to fewer 
than all rule operations in a second rule of the selected set of rules. Calvignac et al also discloses 
that some, but not all, of the rules will still be performed in a second rule of the selected set of rules,
for example (see column 8, lines 24-47 and figures 3A-3D). Therefore, claim 52 is rejected on 
the same rationale as the rejection of claim 45. 

Claims 58 and 63 recite the same inventive concept as claims 1 and 45. Therefore, they
are rejected on the same rationale as the rejection of claims 1 and 45. 

As per claims 70 and 76, Calvignac et al discloses a method for providing access
control in a computing system environment, the method comprising: receiving an access request 
to access data in the computing system environment, for example (see column 1, lines 30-67); 
comparing the access request to a master rule set, each rule in the master rule set including a 
filter and a corresponding set of rule operations to be performed pending evaluation of the filter 
condition, for example (see figures 3A-3D; see also columns 6-8); and for each rule containing a 
filter operation that evaluates to indicate execution of rule operations of that rule, executing the 
rule operations of that rule, for example (see figures 3A-3D; see also columns 6-8); during 
execution of rule operations of that rule, executing a first conditional disregard instruction that 
establishes a first set of pre-conditions that must be met in successive rules in the master rule set 
in order for those successive rules to be executed after the rule containing the first conditional 
disregard instruction has been executed, for example (see figures 3A-3D; see also columns 6-8); 
and executing at least one successive rule in the master rule set for which the access request 
meets the filters of those successive rules, and for which the first set of pre-conditions 
established by executing the first conditional disregard instruction are also met, for example (see 
figures 3A-3D; see also columns 6-8). 

As per claims 2 and 20, Calvignac et al discloses the limitation of wherein the step of 
performing includes the step of producing an access control decision indicating whether to allow 
access, on behalf of a requestor submitting the access request, to a resource in the computing 
system environment, for example (see column 4, lines 21-57; and column 1, line 30 through 
column 2, line 22). 

As per claims 3 and 21, Calvignac et al discloses the limitation of wherein the step of
selecting includes the steps of determining an identity of the resource in the computing system 
environment to which access is requested in the access request; and applying at least one filter 
operation, using the identity of the resource, for rules in the at least one master set of rules to 
produce the selected set of rules for use in determining the access control decision for the 
resource, for example (see column 4, lines 21-57; and column 1, line 30 through column 2, line 
22). 

As per claims 4 and 22, Calvignac et al discloses in one embodiment using the source 
IP address to determine the role identity of the requestor in combination with the destination 
address and destination port to determine the access control decision to the resource that meets 
the recitation of further including the step of determining a role identity of a requestor submitting 
the access request, for example (see column 4, lines 21-57; and column 1, line 30 through 
column 2, line 22) and wherein the step of applying applies the at least one filter operation, using 
the role identity of the requestor submitting the access request in combination with the identity of 
the resource, for rules in the at least one master set of rules to produce the selected set of rules 
for use in determining the access control decision to the resource, for example (see column 4, 
lines 21-57; and column 1, line 30 through column 2, line 22). 

As per claims 6 and 24, Calvignac et al discloses the limitation of wherein the selected 
set of rules is arranged hierarchically such that rules containing rule operations that are more 
specific are performed before rule operations that are more general, for example (see column 7,
line 49 through column 8, line 23; and column 3, lines 20-56; column 6, lines 34-62).

As per claims 9 and 27, Calvignac et al discloses the limitation of wherein the step of 
selecting includes the steps of determining an identity of a resource in the computing system 
environment to which access is requested in the access request, for example (see column 4, lines 
21-57; and column 1, line 30 through column 2, line 22); and applying at least one filter 
operation, using the identity of the resource, for rules in the at least one master set of rules to 
produce the selected set of rules for use in determining the access control decision to the 
resource, for example (see column 4, lines 21-57; and column 1, line 30 through column 2, line 
22); and wherein the method further includes the step of determining a role identity of a 
requestor submitting the access request, for example (see column 4, lines 21-57; and column 1, 
line 30 through column 2, line 22); and wherein the step of performing includes sequentially 
processing each rule operation in the selected set of rules using the role identity of the requestor 
submitting the access request in combination with the identity of the resource to determine if the 
requestor using the role identity can access the resource, for example (see column 8, lines 24-47 
and column 7, line 49 through column 8, line 23; and column 3, lines 20-56; column 6, lines
34-62).



As per claims 12 and 30, Calvignac et al discloses the limitation of wherein the selected 
set of rules is arranged hierarchically such that rules containing rule operations that are more 
specific are performed before rules containing rule operations that are more general such that 
placement of the disregard instruction in one of the at least one rules in the selected set of rules
causes the step of performing to control an amount of access control provided to the requestor
that submitted the access request for access to a respective resource, for example (see column 7,
line 49 through column 8, line 23; and column 3, lines 20-56; column 6, lines 34-62).

As per claims 13 and 31, Calvignac et al discloses the limitation of wherein the 
disregard instruction is a conditional instruction that has a condition that must be met before the 
disregard instruction is performed, for example (see column 7, lines 49-67). 

As per claims 14 and 32, Calvignac et al discloses in one embodiment an example of a 
group of system administrators that meet the recitation of the limitation of wherein at least one 
rule in the selected set of rules contains a relation that defines a condition based on a group 
definition; and wherein at least one of the steps of selecting and performing includes the step of 
performing the relation to determine if at least one of a requestor, an access, and a resource 
specified in the access request satisfy the condition based on the group definition, for example 
(see column 4, lines 21-57). 

As per claim 53, Calvignac et al discloses the limitation of wherein the filter operation 
is an IF-THEN operation and performance of the IF-THEN operation provides an indication 
whether to perform at least one of the multiple rule operations in the first rule, for example (see 
column 7, line 49 through column 8, line 23). 

As per claim 55, Calvignac et al discloses the limitation of wherein the disregard
instruction is a conditional disregard instruction, which limits a performance of other rule 
operations in multiple rules other than the first rule in the selected set of rules depending on 
occurrence of a corresponding condition as specified by the disregard criteria in the disregard 
instruction, for example (see column 7, line 49 through column 8, line 47). 

As per claim 56, Calvignac et al discloses the limitation of performing at least one 
other rule operation in the first rule as well as other rules in the selected set of rules after 
performing the conditional disregard instruction, for example (see column 8, lines 24-47 and 
figures 3A-3D). 

As per claim 57, Calvignac et al discloses the limitation of wherein performance of the 
IF-THEN operation includes identifying whether an application generating the access request 
uses a particular resource in the storage system as well as whether a requestor associated with the 
access request is a member of a particular specified group and, if so, performing the rule 
operations in the first rule, for example (see column 4, lines 21-57). 

As per claim 59, Calvignac et al discloses the limitation of comparing disregard criteria 
in a data field associated with the conditional disregard rule operation to data in other rule 
operations to identify which other rule operations in the selected set of rules to disregard from 
performance, for example (see column 8, lines 24-47 and figures 3A-3D). 

As per claim 60, Calvignac et al discloses the limitation of wherein a field of data in the
conditional disregard rule operation specifically identifies a first type of rule operations that are
to be disregarded from execution in the set of rules, execution of the conditional disregard rule
not having any effect on whether to perform a second type of rule operations in the set of rules,
for example (see column 8, lines 24-47).

Claim 61 recites the same inventive concept as claim 1 and is rejected on the same
rationale as the rejection of claim 1.

As per claim 62, Calvignac et al discloses the limitation of using an exact match
that results in termination of performing any other rule operations in the selected set of rules and
further discloses combining exact matches with ranges of values that meets the recitation of 
further comprising during processing of the set of rules, performing an unconditional disregard 
rule operation in the set of rules that results in termination of performing any other rule 
operations in the selected set of rules, for example (see column 2, lines 40-45 and column 5, lines 
28-35). 

As per claim 64, Calvignac et al discloses the limitation of wherein selecting the first set 
of rules and the second set of rules includes applying a respective first filter and a second filter to 
identify whether to select the first set of rules and the second set of rules for execution, for 
example (see column 8, lines 23-47; and column 6, lines 34-62). 

As per claim 65, Calvignac et al discloses the limitation of after disregarding execution
of at least one rule operation in the second set of rules as identified by the disregard rule 
operation in the first set of rules, performing at least one rule operation in the second set of rules 
not associated with the disregard rule operation, for example (see column 8, lines 24-47 and 
figures 3A-3D). 

As per claim 66, Calvignac et al discloses the limitation of following completion of 
executing the first set of rules and the second set of rules, generating an access control decision 
whether to permit the access request, for example (see column 8, lines 24-47 and figures 3A-3D). 

As per claims 67-69, claims 67-69 recite the same limitation as claims 60-62 
respectively except for using a first and second set of rules instead of a set of rules. Calvignac et
al discloses the invention with multiple sets of rules (see rejection of claim 52). Therefore they 
are rejected on the same rationale as the rejection of claims 60-62. 

As per claim 71, Calvignac et al discloses the limitation of wherein executing only the 
successive rules in the master rule set comprises: executing a second conditional disregard 
instruction that establishes a second set of pre-conditions that must also be met in addition to the
first set of pre-conditions established by the first disregard instruction for any remaining 
successive rules in the master rule set to be executed, for example (see column 8, lines 24-47 and 
figures 3A-3D). 

As per claim 72, Calvignac et al discloses the limitation of wherein pre-conditions
established by execution of the conditional disregard instructions indicate a type of data upon 
which rule operations of successive rules in the master rule set operate that are not to be executed 
during execution of the successive rules in the master rule set, for example (see column 8, lines 
24-47 and figures 3A-3D). 

As per claim 73, Calvignac et al discloses the limitation of wherein the filter of at least 
one rule in the master rule set includes a test of whether an application associated with the access
request uses a particular resource associated with the request, for example (see column 4, lines 
21-57; and column 1, line 30 through column 2, line 22). 

As per claim 74, Calvignac et al discloses the limitation of wherein the filter of at least 
one rule in the master rule set includes a test of whether at least two resources associated with the 
access request are connected to each other, for example (see column 4, lines 21-57; and column 
1, line 30 through column 2, line 22). Calvignac et al discloses at least two resources connected
to each other that can be associated with the access request. 

As per claim 75, Calvignac et al discloses the limitation of skipping execution of those 
successive rules in the master rule set for which the access request does not meet the filters of 
those successive rules, and for which the first and second set of pre-conditions established by 
executing the first and second disregard instructions are not met, for example (see column 8, 
lines 24-47 and figures 3A-3D). 

Conclusion

5. The prior art made of record and not relied upon is considered pertinent to applicant's
disclosure as the art discloses disregard instructions comprising multiple sets of rules. Many of
the claimed features are present in these references.

US Patent Publication: US2004/0158744 Deng et al.

5.1 Any inquiry concerning this communication or earlier communications from the
examiner should be directed to Carl Colin whose telephone number is 571-272-3862. The 
examiner can normally be reached on Monday through Thursday, 8:00-6:30 PM. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Ayaz Sheikh, can be reached on 571-272-3795. The fax phone number for the
organization where this application or proceeding is assigned is 703-872-9306. 

Any inquiry of a general nature or relating to the status of this application or proceeding 
should be directed to the receptionist whose telephone number is 703-305-3900. 